Dear Colleagues,

The RIPE NCC recently announced completion of an action point from the RIPE Database Working Group to hide the password hashes in MNTNER objects from public view. As a follow-up to that, we agreed to contact all maintainers and advise them to update their passwords. This was also completed last week. At RIPE 64 we will provide some statistics on the outcome of that advice.

The next issue that was raised in the Database Working Group session at RIPE 63 was the use of plain text passwords in emails to update data in the RIPE Database. The RIPE NCC would like to invite members of the community to put forward and discuss ideas on resolving this matter.

Note that there are now many ways to update objects in the RIPE Database. As well as the traditional email service, there is also Webupdates for single or small numbers of objects to be updated. For scripting of automated updates, there are Syncupdates and the RESTful API.

Some ideas that have been suggested during discussions in the past are to disallow the use of passwords in email updates and also the option to drop email updates completely. There may also be other options.

As usual, the RIPE NCC will follow any discussions and provide technical input where necessary.

Regards,
Denis Walker
Business Analyst
RIPE NCC Database Group

On 15/02/2012 13:15, Denis Walker wrote:
> Some ideas that have been suggested during discussions in the past are to disallow the use of passwords in email updates and also the option to drop email updates completely.

Denis,

Do you have statistics on approx. how many objects are updated per day using each method: web interface, email, syncupdates and the RESTful API?

Nick

On 15/02/12:8 2:29 PM, Nick Hilliard wrote:
> On 15/02/2012 13:15, Denis Walker wrote:
> > Some ideas that have been suggested during discussions in the past are to disallow the use of passwords in email updates and also the option to drop email updates completely.
>
> Denis,
>
> Do you have statistics on approx. how many objects are updated per day using each method: web interface, email, syncupdates and the RESTful API?
>
> Nick

Hi Nick

Here are some quick stats for this year showing the ratio of mail to other from the update logs. To identify the difference between Webupdates, Syncupdates and API would take quite a bit more work digging into all the apache web logs.

regards
denis

Denis,

On Wednesday, 2012-02-15 15:28:24 +0100, Denis Walker <denis@ripe.net> wrote:
> On 15/02/12:8 2:29 PM, Nick Hilliard wrote:
> > On 15/02/2012 13:15, Denis Walker wrote:
> > > Some ideas that have been suggested during discussions in the past are to disallow the use of passwords in email updates and also the option to drop email updates completely.
> >
> > Denis,
> >
> > Do you have statistics on approx. how many objects are updated per day using each method: web interface, email, syncupdates and the RESTful API?
> >
> > Nick
>
> Hi Nick
>
> Here are some quick stats for this year showing the ratio of mail to other from the update logs. To identify the difference between Webupdates, Syncupdates and API would take quite a bit more work digging into all the apache web logs.

So, to summarize the table, 85.4% of updates come through syncupdates, and the rest come through mail.

That's an interesting statistic, but doesn't give us a full picture. We expect that heavy database users will prefer syncupdates, so the heavy preference for syncupdates is hardly surprising.

I think what is important is to know how many maintainers use each type of authentication.

So, of the 470k or so updates in a month, how many maintainers does that represent, and which authentication methods are used? For example, it could be that 5 big ISPs are responsible for 370k updates per month (who use syncupdates), but that the remaining 100k updates are made by 4000 different maintainers, most of which use email and passwords.

Of course we can equally find that only a very few maintainers use e-mail (perhaps big ISPs which automated their setup many years ago and have just kept it because it works).

My €0,02...

-- Shane

Hi Shane

I pulled out some more stats along the lines of what you asked for below. They are published on RIPE Labs:
https://labs.ripe.net/Members/denis/update-statistics-for-the-ripe-database

cheers
denis

On 15/02/12:8 7:29 PM, Shane Kerr wrote:
> Denis,
>
> On Wednesday, 2012-02-15 15:28:24 +0100, Denis Walker <denis@ripe.net> wrote:
> > On 15/02/12:8 2:29 PM, Nick Hilliard wrote:
> > > On 15/02/2012 13:15, Denis Walker wrote:
> > > > Some ideas that have been suggested during discussions in the past are to disallow the use of passwords in email updates and also the option to drop email updates completely.
> > >
> > > Denis,
> > >
> > > Do you have statistics on approx. how many objects are updated per day using each method: web interface, email, syncupdates and the RESTful API?
> > >
> > > Nick
> >
> > Hi Nick
> >
> > Here are some quick stats for this year showing the ratio of mail to other from the update logs. To identify the difference between Webupdates, Syncupdates and API would take quite a bit more work digging into all the apache web logs.
>
> So, to summarize the table, 85.4% of updates come through syncupdates, and the rest come through mail.
>
> That's an interesting statistic, but doesn't give us a full picture. We expect that heavy database users will prefer syncupdates, so the heavy preference for syncupdates is hardly surprising.
>
> I think what is important is to know how many maintainers use each type of authentication.
>
> So, of the 470k or so updates in a month, how many maintainers does that represent, and which authentication methods are used? For example, it could be that 5 big ISPs are responsible for 370k updates per month (who use syncupdates), but that the remaining 100k updates are made by 4000 different maintainers, most of which use email and passwords.
>
> Of course we can equally find that only a very few maintainers use e-mail (perhaps big ISPs which automated their setup many years ago and have just kept it because it works).
>
> My €0,02...
>
> -- Shane

participants (3)
- Denis Walker
- Nick Hilliard
- Shane Kerr